Project

General

Profile

GTI9100GBootloaderFreedom » History » Version 32

Denis 'GNUtoo' Carikli, 03/27/2020 01:10 AM
Add MLO versions from bootloader interfaces

1 1 Denis 'GNUtoo' Carikli
h1. I9100GBootloader
2
3 9 Denis 'GNUtoo' Carikli
{{toc}}
4 3 Denis 'GNUtoo' Carikli
5 23 Denis 'GNUtoo' Carikli
h2. Findings, TODO and status
6
7 29 Denis 'GNUtoo' Carikli
* -The I9100G of hpagseddy is unsigned but the omap-usb-tool says the soc is in HS mode.-
8
* -If I recall well, the string was verified by hpagseddy, so MLO was flashed and ran-
9
* -MLO was flashed through heimdall frmo Android 4.x bootloader's odin mode-
10 23 Denis 'GNUtoo' Carikli
11
We need to solve this OMAP HS mystery:
12
* I've looked at u-boot, barebox, linux, crucible and I didn't find any driver or code for fuses for any OMAP SOC.
13
* GNUtoo is in Paris where we're confined in our homes due to COVID-19 and I can't afford to brick my GT-I9100G
14 29 Denis 'GNUtoo' Carikli
* -It might be due to the fuses having been programmed with the hash of a key / certificate but not being in enforcing mode.-
15 23 Denis 'GNUtoo' Carikli
* The website for breaking motorolla restricted boot is only about OMAP3 devices but it contains infos on the structure of signed MLO
16 24 Denis 'GNUtoo' Carikli
* I've extracted the MLO but I'm unsure of its size and when I sent it through USB to the bootrom it failed. It might be because of the sram size limit but anyway as I don't know how to parse signatures yet (I need to look at the wiki for breaking motorolla restricted boot) I'm unsure of the exact binary size to send. Once I can parse that stuff, I will know the exact size of the signed area and so of the binary.
17 23 Denis 'GNUtoo' Carikli
* I've not managed to get any difference by booting from mmc1
18 1 Denis 'GNUtoo' Carikli
* I've not dumped yet the usual register for booting configuration like SYS_BOOT
19 25 Denis 'GNUtoo' Carikli
20
TODO while reading the TRM:
21
* check the device's OMAP4 the sram size limit
22
* check the load address / memory mapping of MLO in case of USB boot or boot from eMMC.
23
* Check mmc1 booting constraint (card size, look if < 4GiB works)
24
* Read about SYS_BOOT and booting, though fuse infos is most probably missing
25
26 28 Denis 'GNUtoo' Carikli
TODO while reading code:
27
* check if chipsec has infos on OMAP fuses
28
29 1 Denis 'GNUtoo' Carikli
TODO other readings:
30
* Read more on the wiki against motorolla
31
* Try to find a way to access the OMAP wiki and look if there is any stuff on fuses and restricted boot
32
33
Upstreaming:
34
* If infos about fuses are ever found, ideally write drivers and upstream them in Linux, u-boot, Barebox and crucible
35
* Look if crucible is good for adding infos about OM pins, SYS_BOOT etc. Not sure if Linux exports such registers and where
36 29 Denis 'GNUtoo' Carikli
37
Last news 27/03/2919:
38
hpagseddy and GNUtoo tried several tests on their respective devices, and the device always ended up going to the battery charging screen:
39
* Building xloader and loaing it with omap-usb-boot through USB
40
* Same with the addition of a for(;;) loop in the code to see if it hangs (it's supposed to if the code runs)
41
* Same but with the watchdog being configured to reboot after 1 second (it's supposed to reboot if the code is correct and runs)
42
43
hpagseddy and GNUtoo also found that when using odin to flash the MLO partition, odin interface makes the user think that the MLO partition was flashed correctly, while odin didn't flash anything. That may be due to the partition being set Read-Only and/or to the "File Offset" and "File Size" being 0.
44
<pre>
45
-- Entry #0 ---
46
Binary Type: 0 (AP)
47
Device Type: 2 (MMC)
48
Identifier: 1
49
Attributes: 0 (Read-Only)
50
Update Attributes: 0
51
Partition Block Size/Offset: 0
52
Partition Block Count: 0
53
File Offset (Obsolete): 0
54
File Size (Obsolete): 0
55
Partition Name: X-loader
56
Flash Filename: MLO
57
FOTA Filename: 
58
</pre>
59
60 30 Denis 'GNUtoo' Carikli
We know that nothing was successfuly flashed as we dumped MLO, and verified that the binary was signed by looking if it contained the strings that indicate that (PRIMAPP, KEYS, CertPK_)
61 23 Denis 'GNUtoo' Carikli
62 32 Denis 'GNUtoo' Carikli
h2. MLO versions
63
64
|_. Device |_. Android version |_. String | Signed |
65
| I9100G_CHN_CHN | Android 2.3.6 | Texas Instruments X-Loader 1.41 (Mar 20 2012 - 11:20:26) | Yes |
66
| ? | Android 4.1.2 | Texas Instruments X-Loader 1.41 (Jun 27 2013 - 18:34:17) | Yes |
67
68 11 Denis 'GNUtoo' Carikli
h2. How to check if you have a signed bootloader
69 3 Denis 'GNUtoo' Carikli
70 11 Denis 'GNUtoo' Carikli
h3. How to check from the bootloader interface to install the recovery.
71 7 Denis 'GNUtoo' Carikli
72 8 Denis 'GNUtoo' Carikli
To do that you need to get into the ODIN MODE that is typically used to install the Replicant recovery:
73 1 Denis 'GNUtoo' Carikli
74 7 Denis 'GNUtoo' Carikli
# Start the device by holding the following key combination: *Volume down, Select, Power*,
75
# Hold the key combination until the device shows a *Warning* message.
76
# Confirm that you want to download a custom OS using volume up
77
# Make sure the device is in *Downloading* mode
78
79
When this is done, it should show some text:
80
<pre>
81
ODIN MODE
82
PRODUCT NAME: GT-I9100G_CHN_CHN
83
</pre>
84
85 10 Denis 'GNUtoo' Carikli
Here CHN_CHN probably refers to the Chinese version. And it looks like that version has a signed bootloader: According to "a thread on the XDA developers forum":https://forum.xda-developers.com/galaxy-s2/development/guide-repair-totally-sleep-dead-boot-t1701471 "Means that you own a chinese bootloader locked I9100G. You can't flash any other bootloader than the chinese one."
86 1 Denis 'GNUtoo' Carikli
87 12 Denis 'GNUtoo' Carikli
h3. How to check with command line utilities
88 5 Denis 'GNUtoo' Carikli
89 1 Denis 'GNUtoo' Carikli
To get the bootrom to try to boot on USB, you need to do the following:
90
* Connect the USB cable to the device but make sure it's not connected on the computer.
91
* Power off the device
92
* Connect the USB cable
93
94
If we do that, we get the following in the kernel log of your laptop:
95
<pre>
96
usb 1-1: new high-speed USB device number 24 using ehci-pci
97
usb 1-1: unable to get BOS descriptor or descriptor too short
98
usb 1-1: New USB device found, idVendor=0451, idProduct=d00f, bcdDevice= 0.00
99
usb 1-1: New USB device strings: Mfr=33, Product=37, SerialNumber=0
100
usb 1-1: Product: OMAP4430
101
usb 1-1: Manufacturer: Texas Instruments
102
</pre>
103
104 22 Denis 'GNUtoo' Carikli
Note that your kernel might need to be compiled with CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
105
to print that. In Parabola CONFIG_USB_ANNOUNCE_NEW_DEVICES=y is enabled.
106
107 1 Denis 'GNUtoo' Carikli
We can also try to get a bit more infos with omap-usb-boot:
108
<pre>
109
$ sudo omap-usb-boot -v -w boot invalidbootmedia
110
Finding and opening USB device
111
Found and opened omap4 USB device: OMAP4430
112
ASIC device id: 4430, HS device
113
Booting from device invalidbootmedia...
114
Booting device invalidbootmedia not found
115
Booting from device failed
116
</pre>
117
118
Here we know the device is signed because it's a "HS device".
119
If it was not signed it would print "GP device" instead.
120 9 Denis 'GNUtoo' Carikli
121 11 Denis 'GNUtoo' Carikli
h3. Using the Android version or other devices properties?
122 9 Denis 'GNUtoo' Carikli
123 15 Denis 'GNUtoo' Carikli
"hpagseddy/i9100g_xloader":https://github.com/hpagseddy/i9100g_xloader is based on "ths-backup/i9100g_xloader":https://github.com/ths-backup/i9100g_xloader which has an ics (Icecream Sandwitch, an Android version) branch only. According to hpagseddy, that branch is also used for Android Jelly brean.
124 9 Denis 'GNUtoo' Carikli
125
It's still unclear if there is some correlation between Android version and signed bootloaders.
126
127
The device that was given to [[People#Denis-GNUtoo-Carikli|GNUtoo]] that has a signed bootloader also has the following characteristics:
128
129
*Software state*: Running the stock OS, unmodified
130
*Android version*: Android 2.3.6
131
*Baseband version*: IG9100GZCLC2
132
*Build number*: GINGERBREAD.ZCLC2
133
*Kernel version*: 2.6.35.7 se.infra@SEI-30#2
134
135 18 Denis 'GNUtoo' Carikli
According to "a thread on XDA":https://forum.xda-developers.com/galaxy-s2/development/bootloader-t1754158 there is a corelation between the @Baseband version@ and the geographic zone that is targeted. And as we can see above, the @Build number@ seem to be related to the @Baseband version@ as well. While the list of baseband versions is incomplete, we can still use it to avoid the Chinese version (CHN_CHN) which has a signed bootloader. 
136 17 Denis 'GNUtoo' Carikli
137
At this point it's also still unclear if any of the other characteristics above correlate to signed or unsigned bootloaders.
138 2 Denis 'GNUtoo' Carikli
139 20 Denis 'GNUtoo' Carikli
As the binaries are under the GPLv2 or later, It would also be a good idea to collect all of them, match them with the device characteristics like the @Build@ number and @Baseband version@, and verify if they are signed or not with some free software tool.
140 19 Denis 'GNUtoo' Carikli
141 21 Denis 'GNUtoo' Carikli
We could even publish the unsigned versions. As for the signed versions, if they cannot run on devices that don't enforce bootloader signatures, it would probably not be a good idea to publish them as the binaries wouldn't respect the 4 freedoms, but we can still check with the FSF if they have good ideas on that point.
142
143 2 Denis 'GNUtoo' Carikli
h2. Source code
144
145
* https://github.com/hpagseddy/i9100g_xloader This got rebuilt and flashed, and it worked on the device it was tested on.
146
* https://blog.the-leviathan.ch/?p=408
147
148 1 Denis 'GNUtoo' Carikli
h2. TODO
149
150 16 Denis 'GNUtoo' Carikli
* Document the various firmware version mentioned here: https://www.sammobile.com/samsung/galaxy-s2/firmware/#GT-I9100G
151 1 Denis 'GNUtoo' Carikli
* Understand how to get unsigned versions (Android version, serial number, etc)
152 13 Denis 'GNUtoo' Carikli
* Get a device with an unsigned bootloader and u-boot and ask samsung for source code
153 14 Denis 'GNUtoo' Carikli
* Check the boot order on unsigned devices (is it possible to boot from USB easily?)
154 6 Denis 'GNUtoo' Carikli
* Try to boot the xloader nevertheless, as the device could be in some "verify but not enforce mode" for signatures